Through pidgin's developers mailing list, I found this insightful comment by Eric Lippert on software users:
It's not that users are morons or that they "forget" to think. Its that users are trained to not think. Users very quickly learn from experience that:
- dialog boxes are modal. But users do not think of them as "modal", they think of them as "preventing me from getting any work done until I get rid of them."
- dialog boxes almost always go away when you click the leftmost or rightmost button
- dialog boxes usually say "If you want to tech the tech, you need to tech the tech with the teching tech tech. Tech the tech? Yes / No"
- If you press one of those buttons, something happens. If you press the other one, nothing happens. Very few users want nothing to happen -- in the majority of cases, whatever happens is what the user wanted to happen. Only in rare cases does something bad happen.
In short, from a user perspective, dialog boxes are impediments to productivity which provide no information. It's like giving shocks or food pellets to monkeys when they press buttons -- primates very quickly learn what gives them the good stuff and avoids the bad.
Modal dialog boxes are in general, badness -- and you'll see that more and more products rely less and less upon them. But they are particularly heinous when security is on the line. Security questions cannot be asked on a "retail" basis. The way users make security decisions is to set their policies appropriately and then let the security system enforce their wishes "wholesale".